GlobaLeaks is free and open source whistleblowing software that enables the creation of secure whistleblowing projects. It was developed in 2011 by the Hermes Center for Transparency and Digital Human Rights, an Italy-based NGO supporting freedom of speech online.
GlobaLeaks uses the best free software components and infrastructure in terms of security, maintainability and code reuse.
For security purposes, it is self-contained in all infrastructural components: an embedded web server built on the high-performance networking framework Twisted, automatic generation of free digital certificates using Let's Encrypt, and anonymous Onion Services using Tor. It performs encryption operations with GnuPG and the Cryptography library based on OpenSSL.
GlobaLeaks is a web application that accepts messages and documents from the web and encrypts them for secure storage. The application offers the source the best anonymity technology now available, such as Tor Onion Services and HTTPS with A+ grade certificates, without any personal data retention.
For every submission, the application provides the whistleblower with a receipt that they can use to verify the status of the submission, exchange messages with recipients and provide additional material. Recipients are sent OpenPGP-encrypted notifications about new whistleblower communications or updates to them.
The entire administration, configuration and maintenance of the platform is done through a feature-rich web interface that enables non-technical people to set up the system autonomously.
To improve information quality and handle complex information-processing workflows among multiple internal and external stakeholders, it provides a multi-step, multi-context dynamic questionnaire builder useful for lawyers, journalists and activists.
Its nature makes it possible for you to download it and set it up free of any charge, relying on a technical team (internal or external to your organization) to do so.
GlobaLeaks 3 adds multitenancy support, which makes it possible to instantiate multiple virtual whistleblowing platforms on a single physical server. This opened up the opportunity for service providers to start offering Whistleblowing as a Service, making it much easier and more cost-efficient to deploy a new digital whistleblowing initiative.
You can try this functionality by activating your own virtual GlobaLeaks at our demo website.
GlobaLeaks provides a safe communication environment for whistleblowers, improving the quality of the information submitted, enabling articulated submission-handling workflows for recipients, and reducing technical administration costs and complexity.
The free source nature of GlobaLeaks makes it possible for it to be continuously audited by its community of users and security experts. Our policy is to have GlobaLeaks audited by a professional, third-party security firm and to publish the reports about the issues and security fixes with radical transparency for the benefit of the project. All the details of the reports currently available to us are published on GitHub. Many audits have been performed by its adopters; if your organization has commissioned a security audit of the software, please share it with us along with authorization to make it public to the wider community.
GlobaLeaks is unique software that makes whistleblowing simple and safe even for non-technical people: everyone can set up their own whistleblowing initiative thanks to its user-friendly design. GlobaLeaks supports multiple use cases such as anticorruption, investigative journalism, corporate compliance and civil rights activism; today it is adopted in more than 30 countries across thousands of whistleblowing sites. The software is free, open source and uses the AGPL license: it is continuously developed by an open community of users, volunteers and contributors working together. Furthermore, the goal that motivated the early development was the idea that whistleblowing should be as local as possible, to give everyone the possibility to break the silence against corruption. For this reason, GlobaLeaks is translated into more than 22 languages, including Chinese, Spanish, Arabic, German, French and so on.
No, 100% security is not possible. Any organization or product that promises this kind of security is not telling the truth. GlobaLeaks’ goal is to create and improve a more secure environment for whistleblowers to share information instead of using normal channels, but you must be aware that there are always risks. Nevertheless, we would like to inform you that GlobaLeaks is constantly updated and audited by a third-party security firm, as you can see on our penetration tests GitHub page. Ask your trusted security experts to have a look at GlobaLeaks!
Email and instant messaging leave many traces of communication metadata within multiple IT systems, both at their origin and at their destination, thus jeopardizing the whistleblower’s confidentiality and/or anonymity. By leveraging the built-in security and anonymity functionalities of the software, whistleblowers can share their reports without leaving any digital trails.
Using an integrated, standard web contact form that dispatches received messages via email represents the worst condition for whistleblower protection in the digital age and thus must be avoided. Contact forms do not protect the whistleblower’s digital trails, do not provide any safeguard for the contents of the report while it is being forwarded by email, and do not increase information quality, since they lack dynamic and interactive submission questionnaire workflows.
In the “analog” domain, an anonymous submission is represented as a letter without a sender, so anonymous tipping is about sending reports without the ability to engage in a bidirectional communication with the recipient.
Thus anonymity is preserved by the whistleblower just by not revealing his identity.
In the “digital domain” the identity of a whistleblower, even when not explicitly communicated, could be revealed by tracking down the “digital origin” of the communication using the so-called “IP address”, a unique identifier of the whistleblower’s electronic device (be it a phone or a computer).
Thus anonymity in the digital domain can only be preserved by protecting the origin of the whistleblower’s phone/computer, shielding it using Tor and preventing its automated collection.
GlobaLeaks provides multiple technical layers of protection for the whistleblower’s identity, supporting a tunable degree of technical measures that balance security against usability.
GlobaLeaks was created by the Hermes Center for Transparency and Digital Human Rights (an Italy-based NGO) and its initial release was on 6th September 2011. It is now also being developed by the Hermes Center’s own social enterprise “Whistleblowing Solutions” and a variety of stakeholders from the anticorruption public agency environment and the corporate compliance technology ecosystem.
There are a lot of things in which you can get involved if you want to contribute to GlobaLeaks. If you are a hacker, develop with us. If you know one or more languages and want to make your knowledge available, come join our translation team. If you want to take action against corruption or human rights violations, or simply believe in the GlobaLeaks project, you can donate to support us. Otherwise, check the career page if you want to join our staff or be a volunteer in the GlobaLeaks project.
GlobaLeaks has been mostly financed with internal grants from the US Open Technology Fund, the Dutch Hivos Foundation and EU democracy development projects. Along with public grants, the GlobaLeaks project is implementing an economic sustainability model by establishing a non-profit social enterprise (“Whistleblowing Solutions Impresa Sociale S.r.l.”) that provides software development and managed Whistleblowing Software as a Service to NGOs, public agencies and corporations, reinvesting 100% of the earnings into the GlobaLeaks project itself. It’s a delicate and balanced approach that avoids any “commercialization” of services over GlobaLeaks communication channels, with the goal of fostering the development of a wide ecosystem of companies around the world providing support services.
No, because GlobaLeaks is only software, which each user runs on their own personal and individual server, where we don’t have any kind of access.
In any case, it’s worth mentioning that the new GlobaLeaks data encryption scheme would also prevent whoever manages the server running the software from accessing the reports.
It is not in our scope to collect any sensitive information from you or others. We are software developers. Please look carefully for the right organizations to which to blow the whistle, considering the risks and the effectiveness of action.
By default there’s a size limit of 20MB for each file being shared, but that’s configurable and can be increased to a virtually unlimited size from the web administration interface.
There are several different ways that GlobaLeaks can be integrated into an existing website, with different balances between security and usability.
The most common way to do it is a landing page that provides guidance on how to blow the whistle safely to a GlobaLeaks site and links to its unique anonymous (Tor) or confidential (HTTPS) address.
GlobaLeaks does not record the IP address of its users, or information about their browser, computer or operating system. Furthermore, the application does not embed any third-party content or deliver persistent cookies to your browser.
However, it’s very difficult to receive a detailed submission from a mobile device, just as it is to write an articulate email from a smartphone.
GlobaLeaks provides multiple automated protections against spam, from CAPTCHA to automatic delaying of bots; all of these security features are detailed in the flood prevention specification document.
To overcome unqualified reports, GlobaLeaks provides flexible submission workflows in which multi-step, dynamic multi-choice questionnaires are deployed, with the goal of guiding whistleblowers to provide better-quality, structured information.
Yes, definitely, and we would be happy to know about that.
The only thing you must consider is respect for and compliance with the free software AGPLv3 license. We would be happy to help you out in that process, within our strategic goal to foster the development of an economic sustainability model around the GlobaLeaks project, with multiple independent providers supporting its growth.
You can modify GlobaLeaks and redistribute it within the rules of the GNU AGPLv3 license. Any modification of the code must be redistributed to anyone interacting with the modified GlobaLeaks version, yet the best way is to develop any modification as a new configurable feature and have it officially integrated upstream.
Bear in mind that the GlobaLeaks license includes Additional Terms according to clause 7/b, requiring any initiative to include in the web page footer a “Powered by GlobaLeaks” phrase with an HTML link pointing to https://www.globaleaks.org.